Letsencrypt on Ubuntu for ERPNext and Frappe

This is a continuation of ( https://cloud.erpgulf.com/blog/support-forum/installing-erpnext-version-14-on-ubuntu-22+ ) and part of a series. The explanation can be seen on Youtube.com/ERPGulf


Let's do Letsencrypt for ERPNext now


This article is a continuation of https://cloud.erpgulf.com/blog/blogs/erpnext-version-14-install-in-production-mode-nginx-supervirso-gunicorn



    sudo service nginx stop

  1. sudo apt install certbot -y
  2. sudo apt install certbot python3-certbot-nginx
  3. sudo certbot certonly -a nginx -d yoursite.example.com   (You may get an `unknown log format "main"` error at this stage. Please read Note 1 at the end of this article to resolve it.)


You will get a message like this:

    Congratulations! Your certificate and chain have been saved at:
    /etc/letsencrypt/live/example.com/fullchain.pem

You now have the certificate in the folder /etc/letsencrypt/live/


Edit the nginx configuration file, in our case /etc/nginx/conf.d/frappe-bench.conf


Go to the server section and change port 80 to 443 (or whatever port you want).

In the original post, the added/edited lines are shown in green, below the violet line.


    server {
        listen 443 ssl;

        server_name yoursite.example.com;

        root /opt/bench/frappe-bench/sites;

        # Certificate chain and private key issued by certbot
        ssl_certificate     /etc/letsencrypt/live/yoursite.example.com/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/yoursite.example.com/privkey.pem;

        # Session handling
        ssl_session_timeout 5m;
        ssl_session_cache shared:SSL:10m;
        ssl_session_tickets off;
        ssl_stapling on;
        ssl_stapling_verify on;

        # Protocols and ciphers
        ssl_protocols TLSv1.2 TLSv1.3;
        ssl_ciphers EECDH+AESGCM:EDH+AESGCM;
        ssl_ecdh_curve secp384r1;
        ssl_prefer_server_ciphers on;

        # Security response headers (the HSTS max-age is 2 years and covers all subdomains)
        add_header X-Frame-Options "SAMEORIGIN";
        add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
        add_header X-Content-Type-Options nosniff;
        add_header X-XSS-Protection "1; mode=block";

        # ... rest of the server block unchanged (see the full file linked below) ...
    }


Restart nginx:

    service nginx restart


Now you have an https site.
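
A check you can run on the edited file before restarting nginx, as an added example that is not part of the original article: it reads a file containing a single server block and flags a missing `listen ... ssl`, any protocol other than the TLSv1.2/TLSv1.3 set above, a certificate and key taken from different directories, and a missing HSTS header. The function names and the sample config are constructed for illustration.

```shell
# Added example (not from the article): lint one nginx server block for the TLS settings above.
# Function names and the sample config are constructed for illustration.

# Print the arguments of every occurrence of a directive, one per line. Comments are
# dropped and a statement may span lines, as server_name does in the block above.
directive() {  # usage: directive NAME FILE
    sed 's/#.*//' "$2" | tr '\n' ' ' | tr '{};' '\n\n\n' |
        awk -v d="$1" '$1 == d { $1 = ""; sub(/^ +/, ""); print }'
}

# Print one line per finding; the exit status is the number of findings.
lint_tls() {  # usage: lint_tls FILE
    conf=$1; findings=0
    flag() { echo "FINDING: $*"; findings=$((findings + 1)); }
    directive listen "$conf" | grep -qw ssl || flag "no 'listen ... ssl' socket"
    protos=$(directive ssl_protocols "$conf")
    [ -n "$protos" ] || flag "ssl_protocols not set, nginx defaults apply"
    for p in $protos; do
        case $p in TLSv1.2|TLSv1.3) ;; *) flag "legacy protocol enabled: $p" ;; esac
    done
    cert=$(directive ssl_certificate "$conf")
    key=$(directive ssl_certificate_key "$conf")
    { [ -n "$cert" ] && [ -n "$key" ]; } || flag "certificate or key path missing"
    # certbot keeps fullchain.pem and privkey.pem in the same live/<name>/ directory
    [ "$(dirname "$cert")" = "$(dirname "$key")" ] ||
        flag "certificate and key come from different directories"
    grep -q 'add_header  *Strict-Transport-Security' "$conf" || flag "HSTS header missing"
    return "$findings"
}

# Constructed sample: the page's block with a legacy protocol and a key from another site.
sample=$(mktemp)
cat > "$sample" <<'EOF'
server {
    listen 443 ssl;
    server_name
        yoursite.example.com
        ;
    ssl_certificate     /etc/letsencrypt/live/yoursite.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/other.example.com/privkey.pem;
    ssl_protocols TLSv1 TLSv1.2 TLSv1.3;
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
}
EOF
lint_tls "$sample" || echo "findings: $?"
rm -f "$sample"
```

This only inspects the text of the file; `nginx -t` is still the syntax check.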


You can see the full nginx/frappe file here: https://github.com/ERPGulf/docs/blob/main/frappe-bench.conf

You also need forwarders to redirect from http to https and/or cut the www part. The file is here; put it in the conf.d folder: https://github.com/ERPGulf/docs/blob/main/redirect.conf


The next part is making sure the Let's Encrypt certificate gets renewed every three months.

    crontab -e

Add this line:

    15 3 * * * /usr/bin/certbot -a nginx renew --quiet

Then edit the certbot configuration:

    vim /etc/letsencrypt/cli.ini

Add this line:

    deploy-hook = systemctl reload nginx


You can use this command to make sure the timer is active:

  1. sudo systemctl status certbot.timer

It should report "Started Run certbot twice daily".


Try a dry-run for renewal. You should get a "Congratulations" message.

  1. sudo certbot -a nginx renew --dry-run 

 

Happy hosting.


Let us know your feedback


Add another site on the same ERPNext server https://cloud.erpgulf.com/blog/linux-and-cloud/adding-antoher-site-on-ubuntu-22-erpnext-14


------------------------------

Note 1:

If you face a problem with nginx because of a log format error (log format "main" not found, or something like that), open the main nginx configuration:

    sudo vim /etc/nginx/nginx.conf

and add the following to the http section:

    log_format main '$remote_addr - $remote_user [$time_local] "$request" ' '$status $body_bytes_sent "$http_referer" ' '"$http_user_agent" "$http_x_forwarded_for"';

-----------------------



Team ERPGulf

The team behind ERPGulf blogs here, expresses their thoughts, shares their experience, and often shows their frustrations. Contact us on support@ERPGulf.com

raj 1 year ago

Getting an error when trying to renew the certificate

Foram Shah 1 year ago

Hello Everyone,

I am trying to link the SSL Certificate to my bench. I have a bench of the 15th version.

    { "dbname": "dbname", "dbpassword": "dbpassword", "dbtype": "mariadb", "encryptionkey": "key", "serverscriptenabled": 1, "usertypedoctypelimit": { "employeeselfservice": 30 }, "domains": [ { "domain": "subdomain.domain.ai", "sslcertificate": "/home/pc/Documents/Certificate/subdomain.domain.ai.crt", "sslcertificatekey": "/home/pc/Documents/Certificate/subdomain.domain.ai.key" } ] }

This is my site_config.json.

I have a certificate that has been purchased from the emsign, I don’t want to create a new one with Let’s Encrypt.

Please guide me on how to configure the certificate.

Nay 2 years ago

THANK YOU SIR. This series saved me hours of frustration (worked with current v15 and Python 3.11)!

Yenten 2 years ago

This is a great tutorial with clear instructions in the YouTube video. I have been searching for how to install SSL on a custom port other than port 443. It helps me a lot. Thank you sir.

Administrator 3 years ago

ERPNextTips

Certbot may not work in Python 3.10.
So do the following step: vim /usr/bin/certbot and change the line #!/usr/bin/python3 to #!/usr/bin/python3.8